
High-Velocity Intrusions: Storm-1175 Chains Zero-Day and N-Day Exploits in Global Medusa Ransomware Campaign
Indicators of Compromise
No domains found for this campaign
APT Groups: 1
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTION
| Detection ID | Detection Name | Description |
| --- | --- | --- |
| | Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns | Detects adversary use of tools (del, cipher /w, SDelete, rm -rf, shred, dd) to recursively delete or overwrite files at scale. Covers Windows, Linux, macOS, IaaS, ESXi, and Containers. Correlates process creation, file deletion events, and syscall burst rates within a time window. |
| | Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes | Remote/API-driven container creation and start whose image is not on an allow-list, executed by a non-admin principal and/or with risky runtime attributes (--privileged, host namespaces, sensitive mounts). Correlates create → start → first network/process actions within a short time window. |
| | Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly) | Adversary ships a tampered application or update: installer writes or replaces binaries; on first run spawns scripts/shells or unsigned DLLs and beacons to non-approved hosts. Correlates installer execution → file metadata changes → first-run children → outbound connections within 90 min. Covers Windows, Linux, macOS. |
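The first detection in the table describes a correlation rather than a single-event match: a wiper-tool process creation followed by a burst of file deletions on the same host inside one time window. The following Python is an added illustration of that logic, not code from this page or from any vendor's detection content; the tool regexes, the 60-second window, the 50-event threshold, the event schema and the sample events are all constructed for the example. The third sample host shows why the process-creation leg matters: a large deletion burst with no wiper tool in view (a build clean-up) does not fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Command-line patterns for the deletion/overwrite tools the detection names
# (del /s, cipher /w, SDelete, rm -rf, shred, dd). These are applied to
# process-creation command lines only, never to file names. Constructed for
# this example; tune to your own telemetry.
WIPER_PATTERNS = [
    re.compile(r"\bcipher(\.exe)?\b.*\s/w", re.I),
    re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I),
    re.compile(r"\bdel\b.*\s/s", re.I),
    re.compile(r"\brm\s+-\w*r", re.I),
    re.compile(r"\bshred\b"),
    re.compile(r"\bdd\b.*\bof=/dev/"),
]


def is_wiper(cmdline):
    """True if a process command line matches one of the wiper-tool patterns."""
    return any(p.search(cmdline) for p in WIPER_PATTERNS)


def detect_mass_deletion(events, window_s=60, threshold=50):
    """Return one alert per host where a wiper-tool process creation is followed,
    within window_s seconds, by at least `threshold` file delete/overwrite events.
    Each event is a dict with ts (ISO-8601), host, type, and cmdline or path.
    The window and threshold are example values, not recommended settings."""
    parsed = sorted(
        ({**e, "t": datetime.fromisoformat(e["ts"]).timestamp()} for e in events),
        key=lambda e: e["t"],
    )
    last_tool = {}               # host -> (t, cmdline) of the latest wiper-tool process
    recent = defaultdict(deque)  # host -> timestamps of deletes still inside the window
    alerts, alerted = [], set()
    for ev in parsed:
        host = ev["host"]
        if ev["type"] == "process_create":
            if is_wiper(ev["cmdline"]):
                last_tool[host] = (ev["t"], ev["cmdline"])
            continue
        if ev["type"] not in ("file_delete", "file_overwrite"):
            continue
        q = recent[host]
        q.append(ev["t"])
        while ev["t"] - q[0] > window_s:  # slide the window: drop stale deletes
            q.popleft()
        tool = last_tool.get(host)
        if (host not in alerted and len(q) >= threshold
                and tool is not None and ev["t"] - tool[0] <= window_s):
            alerts.append({"host": host, "tool": tool[1], "count": len(q),
                           "first_ts": q[0], "last_ts": ev["t"]})
            alerted.add(host)  # one alert per host per run keeps the output readable
    return alerts


# Constructed sample telemetry (not real data). Timestamps are offsets from BASE.
BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)


def _ev(offset_s, host, type_, **fields):
    return {"ts": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "host": host, "type": type_, **fields}


SAMPLE_EVENTS = (
    # fs01: cipher /w launched, then 60 files deleted in the next minute -> alert
    [_ev(0, "fs01", "process_create", cmdline=r"cipher.exe /w:C:\Shares")]
    + [_ev(1 + i, "fs01", "file_delete", path=rf"C:\Shares\doc{i}.xlsx") for i in range(60)]
    # build01: 80 deletions from a build clean-up, no wiper tool seen -> no alert
    + [_ev(100 + i, "build01", "file_delete", path=f"/src/out/obj{i}.o") for i in range(80)]
    # ws02: rm -rf on a temp dir followed by only 5 deletions -> under threshold
    + [_ev(200, "ws02", "process_create", cmdline="rm -rf /tmp/build")]
    + [_ev(201 + i, "ws02", "file_delete", path=f"/tmp/build/f{i}") for i in range(5)]
)

if __name__ == "__main__":
    for a in detect_mass_deletion(SAMPLE_EVENTS):
        print(f"ALERT host={a['host']} tool={a['tool']!r} deletes_in_window={a['count']}")
```

Lowering `threshold` to 3 makes the ws02 host fire as well, which is the trade-off the description's "burst rate within a time window" phrasing points at: the process-creation leg removes benign bulk deletions, while the threshold sets how small a burst still counts.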